Inactive Another Google Redirect Virus - Win 7 - 64bit

Status
Not open for further replies.

raspo86

I just restored the factory image on my PC and am still getting redirected to Scour, my-search-results and other various malicious sites. I followed the malware removal 8 step process and here's what I came up with. I know you guys are busy helping people - we really appreciate it.
_________________________________________________________________

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5129

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/16/2010 6:13:38 PM
mbam-log-2010-11-16 (18-13-38).txt

Scan type: Quick scan
Objects scanned: 138389
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________________________________________________________

GMER Log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-16 18:19:52
Windows 6.1.7600
Running: h65kxkux.exe


---- Files - GMER 1.0.15 ----

File C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb 524288 bytes

---- EOF - GMER 1.0.15 ----

________________________________________________________________

Attach.txt (from DDS)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 11/16/2010 5:23:42 PM
System Uptime: 11/16/2010 6:07:49 PM (0 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | P43 Neo3 (MS-7514)
Processor: Pentium(R) Dual-Core CPU E5300 @ 2.60GHz | CPU 1 | 2603/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 425 GiB total, 406.94 GiB free.
D: is FIXED (NTFS) - 40 GiB total, 35.683 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/16/2010 5:25:05 PM - Windows Update
RP2: 11/16/2010 5:45:17 PM - Windows Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Avira AntiVir Personal - Free Antivirus
DirectX 9 Runtime
JMicron JMB36X Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
NVIDIA Stereoscopic 3D Driver
Realtek Ethernet Controller Driver For Windows Vista and Later
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio BackOnTrack
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Creator XE
Roxio Express Labeler 3
Roxio Update Manager

==== Event Viewer Messages From Past Week ========

11/16/2010 6:07:06 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
11/16/2010 6:06:03 PM, Error: Service Control Manager [7034] - The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
________________________________________________________________

DDS.txt (also from DDS)


DDS (Ver_10-11-10.01) - NTFS_AMD64
Run by Matt at 18:21:23.64 on Tue 11/16/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2949 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10a.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-11-11 55280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-11-16 135336]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-11-16 267944]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-11-16 81584]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-8-17 239648]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-11-11 239616]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2009-6-10 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2009-6-10 166384]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-6-10 1124848]

=============== Created Last 30 ================

2010-11-17 01:15:27 -------- d-----w- C:\Windows\System32\catroot2
2010-11-16 23:10:18 -------- d-----w- C:\Users\Matt\AppData\Roaming\Malwarebytes
2010-11-16 23:10:13 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-11-16 23:10:11 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-11-16 23:10:10 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-11-16 23:10:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-16 23:04:24 -------- d-----w- C:\Users\Matt\AppData\Roaming\Avira
2010-11-16 23:03:00 81584 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2010-11-16 23:02:59 -------- d-----w- C:\Program Files (x86)\Avira
2010-11-16 23:02:59 -------- d-----w- C:\PROGRA~3\Avira
2010-11-16 22:57:23 169320 ----a-w- C:\PROGRA~3\Microsoft\Windows\Sqm\Manifest\Sqm10135.bin
2010-11-16 22:45:32 8006480 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{22031B4C-B693-45C7-B04C-D087610C6BF0}\mpengine.dll
2010-11-16 22:45:31 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-11-16 22:25:03 220672 ----a-w- C:\Windows\System32\wintrust.dll
2010-11-16 22:25:03 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2010-11-16 22:25:03 139264 ----a-w- C:\Windows\System32\cabview.dll
2010-11-16 22:25:03 132608 ----a-w- C:\Windows\SysWow64\cabview.dll

==================== Find3M ====================


============= FINISH: 18:21:47.69 ===============
_________________________________________________________________

Any help is greatly appreciated. I just did a fresh install but somehow this malware continues to redirect me to these malicious sites.

Thanks again,

Matt
 
Just another piece of information. When I open task manager...there seem to be two iexplore.exe running. If I try to open a new tab in IE it just says "Connecting..." and the tabs become frozen. Every time I re-open IE it says that it closed unexpectedly. I just wanted to make sure I posted in case that helps.

Thank you.
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

========================================================================

Attach.txt part of DDS log is missing.

=========================================================================

When I open task manager...there seem to be two iexplore.exe running
If you see this while IE is open, it's normal in the case of IE8.

========================================================================

Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing in the hole, using a pencil or a paperclip, until all lights briefly go off and on.
Restart computer and check for redirections.

NOTE. You may need to re-check your router security settings, as described HERE
 
Thanks for your quick reply. I went through the DNS flush and I am still getting redirected...this time not through Google but through Bing. I attempted to complete a generic search for "dog shelters" and tried to go to adoptapet.com but instead was redirected to:

http://shop6-3.forless.com/?pid=801&src=$USER_PLACEMENT_INV_ID$&keywords=dog+shelters

-------------------

Should I run the DDS again? If so, do I need to unplug my internet connection? I am still having issues with IE v8 - I will open a new tab and it just says "Connecting..." and then I cannot close the program unless I go through task manager.

I can get into my router's settings but I am sort of confused as to what I should do once I get there. I have Verizon DSL. Any suggestions?

Thanks again.

- Matt
 
On your router, you'll find a pinhole marked "Reset".
Keep pushing in the hole, using a pencil or a paperclip, until all lights briefly go off and on.
Restart computer and check for redirections.
Some routers may have a "Reset" button.
 
Sorry - I completely blanked out and forgot to tell you that I did follow your instruction. I completely turned my router off while my PC was turned off. I just restarted the router after flushing the DNS and experience the redirect as soon as I did a search via Bing in IE v8.
 
I will try again...I did go through the CMD prompts again and I noticed that it said for net stop "dns client":

The DNS Client service is stopping.
The DNS Client service could not be stopped.

I will attempt to reset router this time. Be back in 5. Thanks for your persistence.
 
Ahhh this is driving me crazy. I did find the little black reset button hiding in the back of the router. I reset and all the lights went off and back on. I am still getting redirect issues w/ Bing and those frozen IE windows and "Connecting..." tabs.
 
That's fine. I just wanted to make sure it wasn't your router.

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.
 
Here are the results:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: MICRO-STAR INTERNATIONAL CO.,LTD
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: MICRO-STAR INTERNATIONAL CO.,LTD
System Product Name: MS-7514
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 180):
0x02A58000 \SystemRoot\system32\ntoskrnl.exe
0x02A0F000 \SystemRoot\system32\hal.dll
0x00BD1000 \SystemRoot\system32\kdcom.dll
0x00CE7000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00D2B000 \SystemRoot\system32\PSHED.dll
0x00D3F000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00EEE000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F92000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00FA1000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00E00000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00E09000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00E13000 \SystemRoot\system32\DRIVERS\pci.sys
0x00E46000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00E53000 \SystemRoot\System32\drivers\partmgr.sys
0x00E68000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00E7D000 \SystemRoot\System32\drivers\volmgrx.sys
0x00ED9000 \SystemRoot\system32\DRIVERS\pciide.sys
0x00CC0000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00D9D000 \SystemRoot\System32\drivers\mountmgr.sys
0x00EE0000 \SystemRoot\system32\DRIVERS\atapi.sys
0x00DB7000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x00DE1000 \SystemRoot\system32\DRIVERS\jraid.sys
0x01094000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x010C3000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x010CE000 \SystemRoot\system32\drivers\fltmgr.sys
0x0111A000 \SystemRoot\system32\drivers\fileinfo.sys
0x0112E000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x01236000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0113A000 \SystemRoot\System32\Drivers\msrpc.sys
0x013D9000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01000000 \SystemRoot\System32\Drivers\cng.sys
0x01200000 \SystemRoot\System32\drivers\pcw.sys
0x01211000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x014E9000 \SystemRoot\system32\drivers\ndis.sys
0x01400000 \SystemRoot\system32\drivers\NETIO.SYS
0x01460000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01603000 \SystemRoot\System32\drivers\tcpip.sys
0x0148B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01198000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x014D5000 \SystemRoot\System32\Drivers\spldr.sys
0x0183A000 \SystemRoot\System32\drivers\rdyboost.sys
0x01874000 \SystemRoot\System32\Drivers\mup.sys
0x01886000 \SystemRoot\System32\drivers\hwpolicy.sys
0x0188F000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x018C9000 \SystemRoot\system32\DRIVERS\disk.sys
0x018DF000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01945000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0196F000 \SystemRoot\System32\Drivers\Null.SYS
0x01978000 \SystemRoot\System32\Drivers\Beep.SYS
0x0197F000 \SystemRoot\System32\drivers\vga.sys
0x0198D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x019B2000 \SystemRoot\System32\drivers\watchdog.sys
0x019C2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x019CB000 \SystemRoot\system32\drivers\rdpencdd.sys
0x019D4000 \SystemRoot\system32\drivers\rdprefmp.sys
0x019DD000 \SystemRoot\System32\Drivers\Msfs.SYS
0x019E8000 \SystemRoot\System32\Drivers\Npfs.SYS
0x01800000 \SystemRoot\system32\DRIVERS\tdx.sys
0x0181E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02CD7000 \SystemRoot\system32\drivers\afd.sys
0x02D61000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02DA6000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02DAF000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02DD5000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02C00000 \SystemRoot\system32\DRIVERS\serial.sys
0x02C1D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02C38000 \SystemRoot\system32\DRIVERS\termdd.sys
0x02C4C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x02C9D000 \SystemRoot\system32\drivers\nsiproxy.sys
0x02CA9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x02CB4000 \SystemRoot\System32\drivers\discache.sys
0x015DB000 \SystemRoot\System32\Drivers\dfsc.sys
0x02CC3000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03A46000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x03A68000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03A8E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x04884000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x0534D000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x03AA4000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0534F000 \SystemRoot\System32\drivers\dxgmms1.sys
0x05395000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x053A2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x04800000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x04811000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04835000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x04874000 \SystemRoot\system32\DRIVERS\serenum.sys
0x03B98000 \SystemRoot\system32\DRIVERS\parport.sys
0x03BB5000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x03BC5000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03BDB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x03A00000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03A0C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x02DE4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x01073000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0121B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0182B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x011E4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x04880000 \SystemRoot\system32\DRIVERS\swenum.sys
0x03E77000 \SystemRoot\system32\DRIVERS\ks.sys
0x03EBA000 \SystemRoot\system32\DRIVERS\umbus.sys
0x03ECC000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x03F26000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05E0F000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x03F3B000 \SystemRoot\system32\drivers\portcls.sys
0x03F78000 \SystemRoot\system32\drivers\drmk.sys
0x05FF7000 \SystemRoot\system32\drivers\ksthunk.sys
0x000D0000 \SystemRoot\System32\win32k.sys
0x05E00000 \SystemRoot\System32\drivers\Dxapi.sys
0x03F9A000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03FA8000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x03FB4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x03FBD000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x03FD0000 \SystemRoot\system32\DRIVERS\monitor.sys
0x005B0000 \SystemRoot\System32\TSDDD.dll
0x03FDE000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x03E00000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x03E19000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x05E0C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x03E22000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x03E2F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x03E4C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x00680000 \SystemRoot\System32\cdd.dll
0x0190F000 \SystemRoot\system32\drivers\luafv.sys
0x03E5A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x06006000 \SystemRoot\system32\drivers\WudfPf.sys
0x06027000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x0603C000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x06054000 \SystemRoot\system32\drivers\HTTP.sys
0x0611C000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0613A000 \SystemRoot\System32\drivers\mpsdrv.sys
0x06152000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0617E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x061CB000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x06CE3000 \SystemRoot\system32\drivers\peauth.sys
0x06D89000 \SystemRoot\System32\Drivers\secdrv.SYS
0x06D94000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x06DC1000 \SystemRoot\System32\drivers\tcpipreg.sys
0x06C00000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0827C000 \SystemRoot\System32\DRIVERS\srv.sys
0x776E0000 \Windows\System32\ntdll.dll
0x48030000 \Windows\System32\smss.exe
0xFFA00000 \Windows\System32\apisetschema.dll
0xFF9D0000 \Windows\System32\autochk.exe
0xFF810000 \Windows\System32\setupapi.dll
0xFF770000 \Windows\System32\clbcatq.dll
0xFF6D0000 \Windows\System32\comdlg32.dll
0x778B0000 \Windows\System32\psapi.dll
0xFF650000 \Windows\System32\difxapi.dll
0xFF640000 \Windows\System32\nsi.dll
0xFF510000 \Windows\System32\rpcrt4.dll
0xFF4A0000 \Windows\System32\gdi32.dll
0xFF370000 \Windows\System32\wininet.dll
0xFF350000 \Windows\System32\sechost.dll
0xFF140000 \Windows\System32\ole32.dll
0x775C0000 \Windows\System32\kernel32.dll
0xFF060000 \Windows\System32\advapi32.dll
0xFEF80000 \Windows\System32\oleaut32.dll
0xFE1F0000 \Windows\System32\shell32.dll
0xFE1C0000 \Windows\System32\imm32.dll
0xFE0B0000 \Windows\System32\msctf.dll
0xFE060000 \Windows\System32\ws2_32.dll
0xFDFE0000 \Windows\System32\shlwapi.dll
0x778A0000 \Windows\System32\normaliz.dll
0xFDF90000 \Windows\System32\Wldap32.dll
0xFDEF0000 \Windows\System32\msvcrt.dll
0xFDE20000 \Windows\System32\usp10.dll
0xFDCA0000 \Windows\System32\urlmon.dll
0x774C0000 \Windows\System32\user32.dll
0xFDA40000 \Windows\System32\iertutil.dll
0xFDA30000 \Windows\System32\lpk.dll
0xFDA10000 \Windows\System32\imagehlp.dll
0xFD9D0000 \Windows\System32\wintrust.dll
0xFD930000 \Windows\System32\comctl32.dll
0xFD910000 \Windows\System32\devobj.dll
0xFD8A0000 \Windows\System32\KernelBase.dll
0xFD730000 \Windows\System32\crypt32.dll
0xFD6F0000 \Windows\System32\cfgmgr32.dll
0xFD6E0000 \Windows\System32\msasn1.dll
0x770B0000 \Windows\SysWOW64\normaliz.dll

Processes (total 49):
0 System Idle Process
4 System
272 C:\Windows\System32\smss.exe
408 csrss.exe
468 C:\Windows\System32\wininit.exe
476 csrss.exe
524 C:\Windows\System32\services.exe
536 C:\Windows\System32\lsass.exe
544 C:\Windows\System32\lsm.exe
576 C:\Windows\System32\winlogon.exe
724 C:\Windows\System32\svchost.exe
808 C:\Windows\System32\nvvsvc.exe
860 C:\Windows\System32\svchost.exe
924 C:\Windows\System32\svchost.exe
1012 C:\Windows\System32\svchost.exe
424 C:\Windows\System32\svchost.exe
676 C:\Windows\System32\audiodg.exe
940 C:\Windows\System32\svchost.exe
516 C:\Windows\System32\nvvsvc.exe
1152 C:\Windows\System32\svchost.exe
1320 C:\Windows\System32\dwm.exe
1348 C:\Windows\explorer.exe
1420 C:\Windows\System32\spoolsv.exe
1436 C:\Windows\System32\taskhost.exe
1472 C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
1560 C:\Windows\System32\svchost.exe
1672 C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
1760 C:\Windows\System32\svchost.exe
1796 C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
1848 C:\Windows\System32\conhost.exe
1108 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
2020 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
2116 C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
2792 C:\Windows\System32\SearchIndexer.exe
3064 C:\Program Files\Windows Media Player\wmpnetwk.exe
2680 C:\Windows\System32\svchost.exe
1368 C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10a.exe
3888 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3156 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3600 taskhost.exe
3596 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3704 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3008 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
3368 C:\Windows\System32\SearchProtocolHost.exe
3344 C:\Windows\explorer.exe
280 C:\Windows\System32\SearchFilterHost.exe
3164 C:\Users\Matt\Desktop\MBRCheck.exe
2636 C:\Windows\System32\conhost.exe
3004 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x0000000a`1f500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`1f600000 (NTFS)

PhysicalDrive0 Model Number: HitachiHDP725050GLA360, Rev: GM4OA5CA

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 0C0E7F154151469D03B17DE3B60CAFCFD0398D69


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
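The "MBR Code Faked!" verdict above comes from hashing the boot sector's bootstrap code and comparing it against known-good values. The following Python script is an added illustration of that check and is not part of this thread or of MBRCheck: it parses a 512-byte MBR (bootstrap code, disk signature, partition table, 0x55AA signature), hashes the 440-byte code region with SHA1 and classifies it against an allowlist. Everything in it is constructed: the "reference" and "tampered" boot code are placeholder byte patterns, not real Windows boot code, the allowlist hash is derived from that placeholder, and the partition table only mirrors the two volume offsets MBRCheck printed for this drive (D: at 0x1F600000, C: at 0xA1F500000) with approximate sizes.

```python
"""Parse a 512-byte MBR and compare its bootstrap code against an allowlist of hashes."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the bootstrap code
DISK_SIG_OFF = 440            # 4-byte Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
# status, (CHS start skipped), type, (CHS end skipped), first LBA, sector count
PART_FMT = "<B3xB3xII"

# Constructed stand-ins. These are NOT real Windows boot-code bytes or hashes; a real
# deployment computes the allowlist from the stock MBR of a clean reference install.
KNOWN_GOOD_BOOT_CODE = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)
TAMPERED_BOOT_CODE = b"\xeb\xfe" + b"\xcc" * (BOOT_CODE_LEN - 2)
ALLOWLIST = {hashlib.sha1(KNOWN_GOOD_BOOT_CODE).hexdigest(): "constructed reference MBR"}

# Constructed partition table mirroring the volume offsets MBRCheck reported for this
# drive (D: at 0x1F600000, C: at 0xA1F500000); the sector counts are approximations.
SAMPLE_PARTITIONS = [
    # (status, type, first LBA, sector count)
    (0x00, 0x07, 0x1F600000 // SECTOR, (0xA1F500000 - 0x1F600000) // SECTOR),  # D: NTFS, ~40 GiB
    (0x80, 0x07, 0xA1F500000 // SECTOR, 425 * 2**30 // SECTOR),                # C: NTFS, active, 425 GiB
]


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1A2B3C4D) -> bytes:
    """Assemble a constructed MBR sector (used here instead of reading a physical disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR)
    sector[: len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, entry in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature and the in-use partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, first_lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "first_lba": first_lba,
            "byte_offset": first_lba * SECTOR,  # comparable to MBRCheck's "at offset" values
            "sectors": count,
        })
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, allowlist=ALLOWLIST) -> dict:
    """Classify an MBR: bad_signature, unknown (non-standard or infected), or ok."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        verdict, label = "bad_signature", None
    elif info["boot_code_sha1"] in allowlist:
        verdict, label = "ok", allowlist[info["boot_code_sha1"]]
    else:
        verdict, label = "unknown", None
    return {"verdict": verdict, "label": label, "sha1": info["boot_code_sha1"],
            "partitions": info["partitions"]}


def read_first_sector(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the real MBR on Windows (needs an elevated prompt); not used by the sample run below."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


if __name__ == "__main__":
    for name, code in (("reference", KNOWN_GOOD_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        result = check_mbr(build_mbr(code, SAMPLE_PARTITIONS))
        print(f"{name}: {result['verdict']}  sha1={result['sha1']}")
        for p in result["partitions"]:
            print(f"  type=0x{p['type']:02x} active={p['bootable']} offset=0x{p['byte_offset']:x}")
```

Only the first 440 bytes are hashed so that the disk signature and partition table, which legitimately differ from machine to machine, do not change the hash; an "unknown" verdict therefore means the code region does not match any reference you trust, which is exactly the situation MBRCheck flags here. Reading a live disk with read_first_sector requires an administrator prompt, and the allowlist must come from a clean reference image rather than from a suspect machine.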
 
OK, we need to fix your MBR...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 2 to overwrite the infected MBR Code with the Windows 7 MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.
 
I am having trouble opening NTBR_CD.exe - when I double click on it, it seems like nothing happens. I do not see any other folder that opens. What do you suggest?

It said when I first tried to open it "This program may not have installed correctly" to which I clicked that it DID install correctly. Nothing happened. Then I redownloaded and tried to reopen it in a different directory...this time I chose to reinstall...still nothing.
 
We can try a different way.

If you have Vista/7 DVD...

start with step 2

If you don't have Vista/7 DVD...

1. Create Vista/7 Recovery Disc.

Option 1 :
Vista: http://www.c4consulting.com.au/soluctions/vista/VISTA SOLUCTIONS.htm
Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

Option 2:
Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
Download Windows 7 Recovery Disc iso image: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

2. Boot from created disk.

Vista users. At first screen click on Repair your computer:
[screenshot]


Windows 7 users. At first screen click on Install now:
[screenshot]

Select your language and click next:
[screenshot]

Click the button for "Use recovery tools":
[screenshot]


The following applies to both Vista and Windows 7 users.

This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
[screenshot]

After this, it will present you with a list of options including startup repair, system restore and command prompt:
[screenshot]

Select Command Prompt

Type in:
bootrec /FixMbr (<--- there is a "space" after "bootrec")
and then press Enter

Once completed then type Exit, press Enter and restart computer.

Post fresh MBRCheck log.
 
I followed instructions and now it won't boot to Windows...AHHH. What should I do? Should I try to reinstall factory image? This is getting freaky!

BTW it tries to start up and I got a quick blue screen followed by an immediate restart of my system.
 
Something is going on there.
I don't believe we broke anything by just resetting MBR.

Let's see if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Now it is sitting on Startup Repair screen...I'm typing via my MyTouch phone and I am not sure what to do. When I typed that bootrec /FixMbr it immediately said it was successful. Then I restarted and couldn't get to Windows.

Also, my BIOS was already set to boot from CDROM first and harddrive second.
 
my BIOS was already set to boot from CDROM first and harddrive second.
It doesn't bother anything. It's even better.

Try to manually restart it one more time.
See if it'll boot into Safe Mode.
If none of the above will work, you'll need another computer to create the CD from my reply #17.
That redirection is caused by something.
 
I can't start Windows...not sure if I can reinstall or restore factory image. I hope I didn't screw up my BIOS or anything serious. I couldn't cancel out of Windows Repair so I just took CD out and put the Win 7 Restore CD in... hopefully I can get back to Windows.
 
Now it is sitting on Startup Repair screen...I'm typing via my MyTouch phone and I am not sure what to do. When I typed that bootrec /FixMbr it immediately said it was successful. Then I restarted and couldn't get to Windows.

Also, my BIOS was already set to boot from CDROM first and harddrive second.
 
Well, you have two options:
1. Try what I asked you to try
2. Try to fix it yourself.

The bottom line is:
1. Resetting MBR is a standard procedure and it can't break anything. Your booting problem is most likely caused by an infection, which shows through the redirection issue.
2. No, we didn't do anything, which would mess up your BIOS.
 
I can't start up windows even after restoring factory image. Any ideas?
 
You did it already? In a couple of minutes?
You must have some other issues then.
Hardware?
Hard drive? RAM?...or...
 
Should I load drivers? Not sure if this issue is coming from Windows or my system. My computer just keeps restarting....
 